Re: [http-state] Summary of discussion of Ticket 5 (Cookie ordering)

Achim Hoffmann <ah@securenet.de> Fri, 16 April 2010 15:17 UTC

Return-Path: <ah@securenet.de>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 009593A6B7E for <http-state@core3.amsl.com>; Fri, 16 Apr 2010 08:17:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.351
X-Spam-Level:
X-Spam-Status: No, score=0.351 tagged_above=-999 required=5 tests=[BAYES_50=0.001, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cMVX3O+6qU95 for <http-state@core3.amsl.com>; Fri, 16 Apr 2010 08:17:27 -0700 (PDT)
Received: from munich.securenet.de (munich.securenet.de [82.135.17.200]) by core3.amsl.com (Postfix) with ESMTP id C94C428C1BC for <http-state@ietf.org>; Fri, 16 Apr 2010 08:15:25 -0700 (PDT)
Received: from oxee.securenet.de (unknown [10.30.18.40]) by munich.securenet.de (Postfix) with ESMTP id DA6C627197 for <http-state@ietf.org>; Fri, 16 Apr 2010 17:15:17 +0200 (CEST)
Received: by oxee.securenet.de (Postfix, from userid 65534) id D7425140202A; Fri, 16 Apr 2010 17:15:17 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by oxee.securenet.de (Postfix) with ESMTP id A56731402024; Fri, 16 Apr 2010 17:15:16 +0200 (CEST)
Received: from oxee.securenet.de ([127.0.0.1]) by localhost (oxee.securenet.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 04908-07; Fri, 16 Apr 2010 17:15:16 +0200 (CEST)
Received: from [10.30.18.9] (krakatau.securenet.de [10.30.18.9]) by oxee.securenet.de (Postfix) with ESMTP id 8E45A1402426; Fri, 16 Apr 2010 17:15:16 +0200 (CEST)
Message-ID: <4BC87EE5.2030305@securenet.de>
Date: Fri, 16 Apr 2010 17:14:45 +0200
From: Achim Hoffmann <ah@securenet.de>
Organization: SecureNet
User-Agent: who">cares?
MIME-Version: 1.0
To: Dan Winship <dan.winship@gmail.com>
References: <5c4444771002151547k75bbd0e7rfd2ccf735bdb2e37@mail.gmail.com> <u2o5c4444771004110954tfbb069ddj6f80356bc4bd47d3@mail.gmail.com> <C779AE1F-EE2B-4D87-A3F1-C91A425E339D@apple.com> <z2m5c4444771004151615r10f95fen683406b64abff6fa@mail.gmail.com> <l2j5c4444771004151627i3cc43a37n9f3783e4be04458a@mail.gmail.com> <4BC837C8.80501@securenet.de> <4BC874B4.1080103@gmail.com>
In-Reply-To: <4BC874B4.1080103@gmail.com>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: http-state <http-state@ietf.org>
Subject: Re: [http-state] Summary of discussion of Ticket 5 (Cookie ordering)
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Apr 2010 15:17:28 -0000

Dan Winship wrote on 16.04.2010 16:31:
> On 04/16/2010 06:11 AM, Achim Hoffmann wrote:
>> According application security, I already explained that web applications which
>> rely on the ordering somehow, are prone to some attacks.
> 
> Right, everyone agrees with that.
> 
>> As there is no common behaviour according this ordering in current browsers, I'd
>> recommend that the spec does not recommend the cookie ordering. This is not wrong
>> and would force web application developers to implement proper measures:
> 
> But there was already no recommended (total) ordering before, and yet

Sorry, have to disagree here.
See my (still unanswered) posting
  http://www.webappsec.org/lists/websecurity/archive/2005-11/msg00097.html
and if we look at the posting in this thread, we see that the ordering is
not unique anyhow.

IIRC the purpose is to write down the status quo today.

> some web apps did depend on IE's ordering. And the sort of developers
> who are going to write code that would depend on the exact ordering of
> cookies are the sort of developers who aren't going to read the spec
> anyway, so saying "don't assume an ordering" won't actually stop anyone.
> (Though, yes, we should say it anyway.)

:)
If the spec says "MAY have any order", they don't need to read the spec,
and security analysts can always blame the application developer without
refering the specs if something went wrong ;-)
As long as the protocol cannot ensure the correct usage (cookie odering here),
then the application developer is responsible for correct functionality of
h(is|er) application.

> Now, if it's true that there isn't a consistent ordering among the major
> browsers (which was something we didn't know at the start of the
> debate), then maybe that will be enough to solve the problem;

hmm, my first suggestion was to define a strict ordering too. But it then
has to be

  "The user agent MUST ensure following ordering: ..."

anything else is a useless attempt to get it right, but opens a wide range
of interpretations, IMHO.

> .. 5 years

damn, my posting (see above) is just 4.5 years old :-/

> ago people would test against just IE and call it good (and then blame
> Firefox if the site didn't work with Firefox), but they can't really get
> away with that any more.

Hope this helps to make the security/quality impact better understandable
for such a simple thing like "cookie odering".
Achim